Analysis

max time kernel: 119s
max time network: 121s
platform: windows10_x64
resource: win10-en-20210920
submitted: 11-10-2021 11:20
Static task: static1
General

Target: 43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe
Size: 770KB
MD5: 1ca9583e6f4524151c23b0baa273d9ff
SHA1: ad39613a3e42aa165931dda8b9c3832e2e7184c8
SHA256: 43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1
SHA512: ed762bfbd39dfc5110389818c3f99ca753072f11d8fef749e848f5cc9535fa010ba6eb9b788b5b358241e8ef7b1b77bbfb8ada10b5c83771bd7a9cc03199c1ba
Malware Config

Extracted
Family: vidar
Version: 41.2
Botnet: 1008
C2: https://mas.to/@serg4325

Attributes
profile_id: 1008
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes (WerFault.exe):
  description             pid   process       target process
  PID 4352 created 3556   4352  WerFault.exe  43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe

Vidar Stealer (2 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/3556-117-0x0000000000400000-0x0000000001735000-memory.dmp  family_vidar
  behavioral1/memory/3556-116-0x0000000003380000-0x0000000003456000-memory.dmp  family_vidar

Program crash (1 IoC)
Processes (WerFault.exe):
  pid   pid_target  process       target process
  4352  3556        WerFault.exe  43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (WerFault.exe):
  pid   process
  4352  WerFault.exe   (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (WerFault.exe):
  description                pid   process
  Token: SeRestorePrivilege  4352  WerFault.exe
  Token: SeBackupPrivilege   4352  WerFault.exe
  Token: SeDebugPrivilege    4352  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\43de6b1c289cd8ba1d2889346359b521990ca38f69b1961034000dab3c4104e1.exe"

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 940
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken